Anti SQL Injection, how it works on samp -
Lester23 - 16.04.2017
Hi, I'm kinda new to this so I'm asking you people: how can I protect my server from SQL injections? I do have a gamemode (just playing around with it) and saw some people talking about SQL injections, so I began to get a bit worried.
I looked over the internet and saw an injection in /changepass:
Code:
', playerMoney = '1' WHERE playerName = 'x' #
I tried it on my server and it didn't work, yay. My question is: how can someone inject into your DB? (commands, etc.) and how do I protect it? I don't want a tutorial tho, just general knowledge.
Thank you!!
Re: Anti SQL Injection, how it works on samp -
Vince - 16.04.2017
With SQLite use %q for strings in format(), with MySQL use %e for strings in mysql_format. That's sufficient. In other languages (e.g. PHP) use prepared queries.
Interactive demo:
https://www.codebashing.com/sql_demo
Re: Anti SQL Injection, how it works on samp -
Lester23 - 16.04.2017
Yeah... figured out I have a %s vulnerability and it crashes my server :S
Mind helping me please? I added this below the last #include:
I tried to add this:
// Characters that are refused in any dialog input
static const antisqlinjection[][] = {
    "'",
    "#",
    "`",
    "%"
};
and this to public OnDialogResponse, right below public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[]):
// Reject the dialog input if it contains any of the listed characters
for(new i; i < sizeof(antisqlinjection); i++)
{
    if(strfind(inputtext, antisqlinjection[i], true) != -1)
    {
        SCM(playerid, COLOR_YELLOW, " There are also allowed characters.");
        return 1;
    }
}
I can make another thread if needed, but please help :S, the compiler just crashes.
Re: Anti SQL Injection, how it works on samp -
DRIFT_HUNTER - 16.04.2017
mysql_real_escape_string or mysql_format with %e for user input strings.
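As an added example (not code from this thread or from the MySQL plugin itself), here is the /changepass query from the first post written the unsafe way with %s and the way Vince and DRIFT_HUNTER describe with %e, plus the SQLite %q variant. It assumes a MySQL handle g_SQL opened with mysql_connect, an SQLite handle g_DB opened with db_open, and the player's name already in `name`; all three are assumptions.

```pawn
// Added example, not from the thread. g_SQL, g_DB and name are assumed to exist.
new query[256];

// UNSAFE: %s copies inputtext into the SQL text verbatim. A quote inside it closes
// the password literal early, the rest is parsed as SQL, and the trailing # from the
// first post comments out the real WHERE clause, so the UPDATE hits a row of the
// attacker's choosing.
format(query, sizeof(query),
    "UPDATE players SET password = '%s' WHERE playerName = '%s'", inputtext, name);

// SAFE (MySQL plugin): %e escapes quotes and backslashes in inputtext before it is
// placed inside the quoted literal, so whatever the player typed stays data.
mysql_format(g_SQL, query, sizeof(query),
    "UPDATE players SET password = '%e' WHERE playerName = '%e'", inputtext, name);
mysql_tquery(g_SQL, query);

// SAFE (SA-MP SQLite): %q in the built-in format() does the same escaping for SQLite.
format(query, sizeof(query),
    "UPDATE players SET password = '%q' WHERE playerName = '%q'", inputtext, name);
db_query(g_DB, query);
```

Note that the escaping specifier must be used for every user-controlled value in the query, not only the password field; %d for integers is fine because a number cannot contain a quote.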